diff options
author | Shane Lontis <shane.lontis@oracle.com> | 2019-11-18 13:13:05 +1000 |
---|---|---|
committer | Shane Lontis <shane.lontis@oracle.com> | 2019-11-18 13:13:05 +1000 |
commit | f75abcc0f073b1c3e2d81df3fcde8fe45dd1e61f (patch) | |
tree | 9e55a53ddf04b053cc081fbe0c9e8244a13b5f22 /providers/common | |
parent | de0799b0fc845869d775520382b4e7f9995732e5 (diff) |
Fix Use after free when copying cipher ctx
Fixes #10438
issue found by clusterfuzz/ossfuzz
The dest was getting a copy of the src structure which contained a pointer that should point to an offset inside itself - because of the copy it was pointing to the original structure.
The setup for a ctx is mainly done by the initkey method in the PROV_CIPHER_HW structure. Because of this it makes sense that the structure should also contain a copyctx method that is use to resolve any pointers that need to be setup.
A dup_ctx has been added to the cipher_enc tests in evp_test. It does a dup after setup and then frees the original ctx. This detects any floating pointers in the duplicated context that were pointing back to the freed ctx.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10443)
Diffstat (limited to 'providers/common')
-rw-r--r-- | providers/common/include/prov/ciphercommon.h | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/providers/common/include/prov/ciphercommon.h b/providers/common/include/prov/ciphercommon.h index 2f77f48712..c9b0034017 100644 --- a/providers/common/include/prov/ciphercommon.h +++ b/providers/common/include/prov/ciphercommon.h @@ -68,6 +68,7 @@ struct prov_cipher_ctx_st { struct prov_cipher_hw_st { int (*init)(PROV_CIPHER_CTX *dat, const uint8_t *key, size_t keylen); PROV_CIPHER_HW_FN *cipher; + void (*copyctx)(PROV_CIPHER_CTX *dst, const PROV_CIPHER_CTX *src); }; OSSL_OP_cipher_encrypt_init_fn cipher_generic_einit; @@ -233,6 +234,16 @@ static int cipher_hw_##NAME##_##MODE##_cipher(PROV_CIPHER_CTX *ctx, \ return 1; \ } +#define IMPLEMENT_CIPHER_HW_COPYCTX(name, CTX_TYPE) \ +static void name(PROV_CIPHER_CTX *dst, const PROV_CIPHER_CTX *src) \ +{ \ + CTX_TYPE *sctx = (CTX_TYPE *)src; \ + CTX_TYPE *dctx = (CTX_TYPE *)dst; \ + \ + *dctx = *sctx; \ + dst->ks = &dctx->ks.ks; \ +} + #define CIPHER_DEFAULT_GETTABLE_CTX_PARAMS_START(name) \ static const OSSL_PARAM name##_known_gettable_ctx_params[] = { \ OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_KEYLEN, NULL), \ |